Multiple vulnerabilities in IBM FlashSystem (and TMS RAMSAN) 710, 720, 810, and 820 systems
| Risk | Medium |
| Patch available | YES |
| Number of vulnerabilities | 2 |
| CVE-ID | CVE-2014-5119 CVE-2014-0475 |
| CWE-ID | CWE-20 CWE-22 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software Subscribe |
TMS RAMSAN 710 and 810 Machine Type 9834 -AS1 and -AE1 Other software / Other software solutions IBM FlashSystem 720 and 820 Machine Type 9831 –AS2 and -AE2 Other software / Other software solutions TMS RAMSAN 710 & 810 Machine Type 9833 -AS1 & -AE1 Other software / Other software solutions FlashSystem 710 & 810 Machine Type 9830 -AS1 & -AE1 Other software / Other software solutions |
| Vendor | IBM Corporation |
Security Bulletin
This security bulletin contains information about 2 vulnerabilities.
1) Input validation error
EUVDB-ID: #VU41360
Risk: Medium
CVSSv3.1: 6.4 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2014-5119
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to read and manipulate data.
Off-by-one error in the __gconv_translit_find function in gconv_trans.c in GNU C Library (aka glibc) allows context-dependent attackers to cause a denial of service (crash) or execute arbitrary code via vectors related to the CHARSET environment variable and gconv transliteration modules.
MitigationInstall update from vendor's website.
Vulnerable software versionsTMS RAMSAN 710 and 810 Machine Type 9834 -AS1 and -AE1: before 6.3.2
IBM FlashSystem 720 and 820 Machine Type 9831 –AS2 and -AE2: before 6.3.2
TMS RAMSAN 710 & 810 Machine Type 9833 -AS1 & -AE1: before 5.6.2
FlashSystem 710 & 810 Machine Type 9830 -AS1 & -AE1: before 5.6.2
CPE2.3http://www.ibm.com/support/pages/node/690127
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Path traversal
EUVDB-ID: #VU41440
Risk: Medium
CVSSv3.1: 6.4 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2014-0475
CWE-ID:
CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to read and manipulate data.
Multiple directory traversal vulnerabilities in GNU C Library (aka glibc or libc6) before 2.20 allow context-dependent attackers to bypass ForceCommand restrictions and possibly have other unspecified impact via a .. (dot dot) in a (1) LC_*, (2) LANG, or other locale environment variable.
MitigationInstall update from vendor's website.
Vulnerable software versionsTMS RAMSAN 710 and 810 Machine Type 9834 -AS1 and -AE1: before 6.3.2
IBM FlashSystem 720 and 820 Machine Type 9831 –AS2 and -AE2: before 6.3.2
TMS RAMSAN 710 & 810 Machine Type 9833 -AS1 & -AE1: before 5.6.2
FlashSystem 710 & 810 Machine Type 9830 -AS1 & -AE1: before 5.6.2
CPE2.3http://www.ibm.com/support/pages/node/690127
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
